#!/usr/bin/perl
#
use strict;
use warnings;
use Data::Dumper;
 
binmode STDOUT, ":utf8";
#use utf8;
 
use JSON;

use lib '.';
use users;
my ($username,$level) = &validate;
my ($realm) = get_realm();
if ($level > 5) { &dienice("You must be an administrator to run this");}

require "doa_subs.pl";

sub save_file($) {

	my ($q) = @_;
	my ($bytesread, $buffer);
	my $num_bytes = 1024;
	my $totalbytes;
	my $filename = $q->upload('filename');
	my $untainted_filename;

	if (!$filename) {
		print $q->p('You must enter a filename before you can upload it');
	return;
	}

	# Untaint $filename

	if ($filename =~ /^([-\@:\/\\\w.]+)$/) {
		$untainted_filename = $1;
	} else {
		die_nice ("Unsupported characters in the filename $filename. ");
	}

	if ($untainted_filename =~ m/\.\./) {
		die_nice ("Your upload filename may not contain the sequence '..' ");
	}

	my $file = "/var/www/cgi-bin/activity/$untainted_filename";

	print "Uploading $filename to $file<BR>";

	# If running this on a non-Unix/non-Linux/non-MacOS platform, be sure to 
	# set binmode on the OUTFILE filehandle, refer to 
	#    perldoc -f open 
	# and
	#    perldoc -f binmode

	open (OUTFILE, ">", "$file") or die_nice ("Couldn't open $file for writing: $!");

	while ($bytesread = read($filename, $buffer, $num_bytes)) {
		$totalbytes += $bytesread;
		print OUTFILE $buffer;
	}
	die_nice ("Read failure") unless defined($bytesread);
	unless (defined($totalbytes)) {
		print "<p>Error: Could not read file ${untainted_filename}, ";
		print "or the file was zero length.";
	} else {
		print "<p>Done. File $filename uploaded to Server ($totalbytes bytes)";
	}
	close OUTFILE or die_nice ("Couldn't close $file: $!");
	
}

use CGI;
# my $query = new CGI;
# print $query->header;
# print $query->start_html('Upload html');
# print $query->h1('Upload html');

############################## Main Prog ##############################
#
# This program will allow the user to upload a html file and attempt to load it into the database
#
#

my $q = new CGI;

print $q->header;
print $q->start_html(
	-title => "Activity file Upload",
);
print $q->h3('Use this Page to Upload a DOA activity file to the server'),
	  $q->start_multipart_form(
		  -name    => 'main_form');
print 'Enter a filename, or click on the browse button to choose one: ',
	  $q->filefield(
		  -name      => 'filename',
	  -size      => 40,
	  -maxlength => 80);
print $q->hr;
print $q->submit(-value => 'Upload the file');
print $q->hr;
print $q->a( {-href=>"menu.cgi"}, "Main Menu");
print $q->end_form;

#
# Look for uploads that exceed $CGI::POST_MAX
#

if (!$q->param('filename') && $q->cgi_error()) {
	print $q->cgi_error();
	print <<'EOT';
<p>
The file you are attempting to upload exceeds the maximum allowable file size.
<p>
Please refer to your system administrator
EOT
	print $q->hr, $q->end_html;
	exit 0;
}

#
# Upload the file
#

if ($q->param()) {
	save_file($q);
}

print $q->end_html;
exit 0;

#-------------------------------------------------------------

